Full Report
A new Android spyware named 'KoSpy' is linked to North Korean threat actors who have infiltrated Google Play and third-party app store APKPure through at least five malicious apps. [...]
Analysis Summary
# Threat Actor: Unnamed North Korean Actor (Associated with APT37)
## Attribution & Identity
The malware discussed is attributed to North Korean threat actors, potentially linked to APT37 based on external research cited in the article. The actor uses targeted campaigns, indicated by the use of regional language in the distributed applications.
## Activity Summary
The primary recent activity involves the distribution of sophisticated Android spyware, dubbed **KoSpy**, via official application stores. Specifically, malicious apps containing KoSpy were successfully uploaded to **Google Play** and the third-party store **APKPure** before being removed following discovery. The actor leveraged these platforms to reach targeted users.
## Tactics, Techniques & Procedures
- **Initial Access/Distribution:** Distribution via official (Google Play) and third-party (APKPure) application stores.
- **Execution/Evasion:** Retrieves an encrypted configuration file from a Firebase Firestore database to evade initial detection.
- **Command and Control (C2):** Connects to the main C2 server after initial checks.
- **Dynamic Control:** Capable of receiving updated settings, additional payloads, and dynamic activation/deactivation via an "on/off" switch from the C2.
- **Anti-Emulation:** Runs checks to ensure it is not operating within an emulator environment.
- **Data Collection/Exfiltration:** Extensive data capture capabilities via device functions.
- **Data Obfuscation:** Data exfiltrated to the C2 is encrypted using a hardcoded AES key.
*Note: Specific MITRE ATT&CK IDs were not directly provided in the text.*
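The staged retrieval described above (a Firestore configuration lookup first, then contact with the main C2) can be turned into a triage signal over per-app network telemetry. The following is an added example, not code from the article or from any KoSpy analysis; the flow records and hostnames are constructed, and the allowlist and five-minute window are assumptions.

```python
"""Triage heuristic for the staged-C2 pattern: flag an app whose first
network activity is a Firebase Firestore lookup followed, within a short
window, by connections to a host outside a small allowlist of
Google/Firebase services. Constructed example; sample flows are not real."""
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed allowlist: hosts a Firebase-using app is expected to contact.
FIREBASE_HOSTS = {"firestore.googleapis.com"}
ALLOWLIST = FIREBASE_HOSTS | {
    "firebaseinstallations.googleapis.com",
    "www.googleapis.com",
    "play.googleapis.com",
}
WINDOW = timedelta(minutes=5)  # assumed gap between stage 1 and stage 2

# Constructed outbound flow records: (app package, ISO timestamp, destination host)
SAMPLE_FLOWS = [
    ("com.example.benignnotes", "2025-03-12T09:00:01", "firestore.googleapis.com"),
    ("com.example.benignnotes", "2025-03-12T09:00:03", "www.googleapis.com"),
    ("com.example.fileman", "2025-03-12T09:10:00", "firestore.googleapis.com"),
    ("com.example.fileman", "2025-03-12T09:10:04", "cfg-update.example.invalid"),
    ("com.example.fileman", "2025-03-12T09:11:10", "cfg-update.example.invalid"),
    ("com.example.weather", "2025-03-12T09:20:00", "api.weather.example.invalid"),
]


def staged_c2_candidates(flows):
    """Return {app: sorted unknown hosts contacted within WINDOW after the
    app's first Firestore lookup}. Apps with no Firestore lookup are skipped."""
    by_app = defaultdict(list)
    for app, ts, host in flows:
        by_app[app].append((datetime.fromisoformat(ts), host))
    findings = {}
    for app, events in by_app.items():
        events.sort()
        firestore_times = [t for t, h in events if h in FIREBASE_HOSTS]
        if not firestore_times:
            continue  # no stage-1 configuration retrieval observed
        first_fs = firestore_times[0]
        suspects = sorted({h for t, h in events
                           if h not in ALLOWLIST and first_fs <= t <= first_fs + WINDOW})
        if suspects:
            findings[app] = suspects
    return findings


if __name__ == "__main__":
    for app, hosts in staged_c2_candidates(SAMPLE_FLOWS).items():
        print(f"{app}: Firestore lookup followed by unknown host(s) {hosts}")
```

Many legitimate apps use Firestore, so a hit is a lead for an analyst to pull the app for inspection, not a verdict.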
## Targeting
- **Sectors:** Not explicitly defined, but the use of regional language suggests targeted operations potentially focused on specific demographics or organizations within a particular geographic area.
- **Geography:** Implied focus on regions where the targeted language is spoken.
- **Victims:** Users who installed the malicious applications from Google Play or APKPure.
## Tools & Infrastructure
- **Malware Families Used:** KoSpy (Android Spyware).
- **Infrastructure:**
  - **Initial Configuration Retrieval:** Firebase Firestore database (each app uses a separate project).
  - **Command and Control (C2):** Dedicated C2 servers used for primary communication and payload delivery.
  - **Data Exfiltration:** C2 servers, accepting data encrypted with a hardcoded AES key.
## Implications
This actor demonstrates high intent and capability in compromising mobile devices. Successfully distributing malware via the Google Play Store indicates maturity in bypassing platform security checks, suggesting a focus on high-value mobile targets, likely for espionage or intelligence gathering, consistent with state-sponsored activity.
## Mitigations
- Users must manually uninstall the identified malicious apps and scan devices with security tools for complete removal.
- In severe cases, a factory reset is recommended.
- Ensure **Google Play Protect** is enabled and running on up-to-date Android devices, as this service can automatically block known versions of the malware.